BlackCat ransomware could be about to get a whole lot meaner

After a series of recent attacks, the notorious BlackCat ransomware could get a whole lot nastier, according to new research.

A Sophos report states that the threat actors behind the ransomware now appear to have added the Brute Ratel tool to their arsenal, making the ransomware even more dangerous.

Brute Ratel is an attack simulation and penetration testing tool, similar to Cobalt Strike but less well known.

Targeting outdated systems

“What we've seen recently with BlackCat and other attacks is that threat actors are very effective and efficient at their job. They use proven methods, like attacking vulnerable firewalls and VPNs, because they know they still work, but they're innovating to bypass defenses, such as switching to the new C2 post-exploit framework Brute Ratel in their attacks,” said Christopher Budd, senior director of threat research at Sophos.

Brute Ratel is not the only tool used: analysis of previous incidents has shown that BlackCat also uses other open source and commercially available tools to create additional backdoors and to exploit other remote access alternatives, such as TeamViewer or ngrok. Cobalt Strike was, of course, also used.

BlackCat operators typically look to outdated firewalls and unpatched VPN services as their initial point of entry. Since December 2021, they have successfully infiltrated at least four organizations by taking advantage of firewall vulnerabilities.

Once they gain access to the network, they use the firewalls to extract credentials and then move laterally through the network at will.

BlackCat does not appear to favor any particular victim, as the threat targets businesses in the US, Europe, and Asia.

The only prerequisite for an attack is that the company is operating on systems that have reached the end of their useful life, does not have multi-factor authentication or VPNs, and uses flat networks (where every endpoint has visibility into every other endpoint on the network).

“The common denominator of all these attacks is that they were easy to carry out. In one case, the same BlackCat attackers installed cryptominers a month before releasing the ransomware. This latest research highlights how important it is to follow established security best practices; they still have a lot of power to prevent and thwart attacks, including multiple attacks against a single network.”